
  • Risk interviews and workshops


    Answer: These interviews are based on collecting all the information for the Risk assessment sheet - i.e. listing all the assets, vulnerabilities, threats, impact, likelihood, and risk owner. These materials will help you:
    - article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - article How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    - webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    The other question is related to the training awareness for risk assessment to asset and risk owners - is there any material you have which can give examples or demonstrate what we need to cover in the training.

    Answer: You should organize a workshop and teach them how to perform the whole process themselves. The best would be to take one department as an example, and list all the assets/threats/vulnerabilities for that department, as well as related impacts/likelihoods - this is partially explained in my book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Incident and Service Request Management vs. Incident Management Toolkit


    Answer:
    Incident and Service Request Process (https://advisera.com/20000academy/documentation/incident-and-service-request-management-process/ ) is just a process description according to ISO 20000. On the other hand, the Incident Management Toolkit encompasses all you need for Incident management solely.
    So, if you need to ensure all relevant processes are implemented on your Service Desk - include the Request Fulfillment process as well as the Service Asset and Configuration Management process, Change Management process, Problem Management process, Event Management process, Service Desk function, IT Operations Management function, Technical Management function, Application Management function. In such a way you will cover most of the operational issues. The rest of the processes depend on what the service looks like. Please check the ITIL® Documentation Toolkit (https://advisera.com/20000academy/itil-documentation-toolkit) which includes all mentioned processes and functions.
  • Impact and likelihood values


    Answer:
    I am sorry but I am not sure what you mean. Basically, threats and vulnerabilities can help you to calculate values for the impact and the likelihood, and with the impact (damage that a threat can cause to the organization) and the likelihood (likelihood that a threat can be materialized) you can calculate the risk.

    So, a common way to calculate the risk is giving values to the impact and the likelihood, although another way for the calculation of the risk is giving values to the impact, threats and vulnerabilities.

    The mitigation means that you have a risk treatment plan and you have implemented security controls to reduce the risks, and this implies that the impact or the likelihood have been reduced. So, generally after the mitigation the impact value or the likelihood value is reduced.

    Anyway, this article can be interesting for you “ISO 27001 risk assessment & treatment - 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And also this one “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    Finally, our online course can also be interesting for you because we give more information about the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Application risk assessment


    Answer:
    If you mean how to perform the risk assessment for software, basically you need to perform the risk assessment in the same way as for any other asset, identifying threats/vulnerabilities and calculating the risk considering the impact and the likelihood of the threats, but in the case of software, you need to identify threats/vulnerabilities specifically related to the software (for example, regarding threats: software errors, unauthorized use of software, malicious code, unauthorized installation of software, etc. and regarding vulnerabilities: complicated user interface, default passwords not changed, insufficient software testing, etc.). Here you can see a catalogue of threats/vulnerabilities “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    This article can also be useful for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    And also this one “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    Finally, our online course can also be interesting for you because we give more information about the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
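    As an added example (not code from the Advisera answers above), the scoring described in the "Impact and likelihood values" answer (risk from impact and likelihood, or from impact, threat and vulnerability, then reduced by treatment) applied to a small register for a software asset using threat/vulnerability types of the kind the "Application risk assessment" answer lists; the 1-5 scales, the acceptance threshold, the treatment amounts and the sample entries are assumptions.

```python
"""Added example: a small ISO 27001-style risk register. Scores each entry,
then applies treatments to get residual risk. Scales/threshold are assumed."""
from dataclasses import dataclass, replace

ACCEPTABLE_RISK = 8  # assumed acceptance threshold on the 1-25 product scale

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    owner: str

def check_scale(value: int, name: str) -> int:
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1..5, got {value}")
    return value

def risk_from_impact_likelihood(r: Risk) -> int:
    """Method 1: risk = impact * likelihood."""
    return check_scale(r.impact, "impact") * check_scale(r.likelihood, "likelihood")

def risk_from_threat_vulnerability(impact: int, threat: int, vuln: int) -> int:
    """Method 2: likelihood derived from separate threat and vulnerability
    scores (assumed mapping: rounded-up mean), then multiplied by impact."""
    likelihood = (check_scale(threat, "threat") + check_scale(vuln, "vulnerability") + 1) // 2
    return check_scale(impact, "impact") * likelihood

def apply_treatment(r: Risk, impact_cut: int = 0, likelihood_cut: int = 0) -> Risk:
    """An implemented control lowers impact and/or likelihood (never below 1)."""
    return replace(r, impact=max(1, r.impact - impact_cut),
                   likelihood=max(1, r.likelihood - likelihood_cut))

# Constructed register for one software asset (threat/vulnerability types as in the answer).
REGISTER = [
    Risk("Customer portal", "malicious code", "insufficient software testing", 4, 4, "Dev lead"),
    Risk("Customer portal", "unauthorized use", "default passwords not changed", 5, 3, "IT manager"),
    Risk("Customer portal", "software errors", "complicated user interface", 2, 3, "Dev lead"),
]

def treatment_plan(register, likelihood_cut: int = 2) -> dict:
    """Map (asset, threat) -> (inherent, residual) for entries above the threshold."""
    plan = {}
    for r in register:
        inherent = risk_from_impact_likelihood(r)
        if inherent > ACCEPTABLE_RISK:
            residual = apply_treatment(r, likelihood_cut=likelihood_cut)
            plan[(r.asset, r.threat)] = (inherent, risk_from_impact_likelihood(residual))
    return plan
```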
  • System access by the security guard


    Answer:
    I am not sure what you mean by security guards, but generally in an ISMS the CISO is responsible for the coordination of all activities related to securing the information in a company, so, from my point of view, in your case, the CISO should define the access control policy, and in accordance with this policy, a technical expert (or any other person with sufficient knowledge about how to technically implement the access control policy) could give access to the system to the different employees.

    This article can help you "How to handle access control according to ISO 27001" : https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    And our online course can also be interesting for you because we give more information about the ISMS and the access control “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Structure for a project plan

    In this video tutorial you can see a filled sample of the Project plan: https://advisera.com/27001academy/tutorial/free-tutorial-how-to-set-up-iso-27001-project-writing-the-project-plan/
  • Existing controls decrease the level of risk

    Nice topic!! Always helpful. Thanks a lot!
  • Guide for Indicators and risk assessment


    Answer:
    If your question is about measurement, ISO 27001 does not have this information, but you can find in ISO 27004 a complete guide of best practices about how to measure an Information Security Management System (completely compatible with ISO 27001). So, this standard can help you to develop formulas that can help you to assess every control in an organization.

    Anyway, this article can help you “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    If your question is about the risk assessment, ISO 27001 simply defines requirements about risk management, so ISO 27001 is not a guide, but you can use ISO 27005 (which is a guide of best practices for the development of risk management) as a guide to perform the risk assessment.

    This article can also be interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    And also this one “ISO 27001 risk assessment & treatment - 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    Finally, our online course can also be interesting for you because we give more information about the measurement of an Information Security Management System, and also about the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Incorporating ISMS scope and policy into QMS


    Answer:

    Yes, the best way to maintain both quality and information security management systems is to create an integrated management system that will fulfill the requirements of both ISO 9001 and ISO 27001. Besides the information security policy and the scope, there are a lot of common requirements in both standards. Clauses 7, 9 and 10 of ISO 27001:2013 and ISO 9001:2015 have practically the same requirements, so they can be addressed at the same time.

    For more information, see: Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • Incident and Change Management in two separate SW tools?


    Answer:
    Generally, I would suggest keeping all processes in one tool, i.e. that you manage all processes with a single SW solution. The reason for that is that you will have all information in one place and much information will be transferred automatically between process activities (e.g. you enter information only once in Incident Management and then when you open a Problem ticket or Change request - the same data will be transferred). If you don't have that (you asked for risks) - then there is a chance that some information will be lost (e.g. asset information which you need for Incident Management as well as Change Management).
